Usually I don’t bother installing proper (i.e. publicly trusted) HTTPS/SSL certificates for management software and other “internal” systems. However, making parts of Cisco Prime Infrastructure available to “outsiders” can be quite useful, hence I saw the need to install a proper certificate.
I recently had to do this while installing Cisco Prime Infrastructure 3.0, so I thought I’d document it, since it’s not as straightforward as one would think. The last time I did the procedure was after installing Prime Infrastructure 2.0, almost 2 years ago.
There are basically three steps:
1) Fetch the CA certificates + properly convert the certificate
2) Install the CA certificates
3) Install the actual certificate
Properly convert the certificate
This assumes that you already have a public certificate (i.e. from a proper CA), or at least a proper certificate from your internal PKI. We received ours as a .pfx file (PKCS#12, containing both the certificate and the private key), so that’s what I’ll be using in my example. The procedure should be somewhat similar for other formats.
Also, make sure that you use OpenSSL v0.9.8. This is due to a bug (read about it here). That was the case for PI 2.x; I’m not sure whether it’s still needed in PI 3.x.
First we fetch the two CA certificates (CA1 and CA2) of our certificate provider:
```
wget -Obp-2-ca-1.cer http://www.buypass.no/cert/bpcl2.cer
wget -Obp-2-ca-2.cer http://crt.buypass.no/crt/BPClass2CA2.cer
```
Then we can start working on our actual certificate (the .pfx file). Note that `openssl pkcs12 -nocerts` writes the key protected by a new passphrase (you are prompted for it), which is why the second step strips it again; PI needs the key unencrypted:
```
# Fetch the private key (prompts for the .pfx password, then for a passphrase for the output)
openssl pkcs12 -in mydomain.pfx -nocerts -out mydomain.key.pem
# Decrypt the private key (remove the passphrase set above)
openssl rsa -in mydomain.key.pem -out mydomain.key.pem2
mv mydomain.key.pem2 mydomain.key.pem
# Fetch the certificate (leaf certificate only, no key)
openssl pkcs12 -in mydomain.pfx -clcerts -nokeys -out mydomain.cert.pem
# Convert to DER
openssl x509 -outform der -in mydomain.cert.pem -out mydomain.cert.der
```
At this point we have the files we need. Keep in mind that mydomain.key.pem is now an unencrypted private key: restrict its file permissions, and remove it from the SFTP repository once the import in step 3) is done.
Install the CA certificates
First we need to define a remote repository so PI can access the files made in step 1). I’m using SFTP, but there are other options as well:
```
pi/admin# configure
Enter configuration commands, one per line.  End with CNTL/Z.
pi/admin(config)# repository remote
pi/admin(config-Repository)# user pi password plain supersecret
pi/admin(config-Repository)# url sftp://foo.example.com//home/pi
pi/admin(config-Repository)# end
pi/admin# wr mem
Generating configuration...
pi/admin#
```
Then we can install the two CA certificates:
```
pi/admin# ncs key importcacert Buypass2-CA-1 bp-2-ca-1.cer repository remote
pi/admin# ncs key importcacert Buypass2-CA-2 bp-2-ca-2.cer repository remote
```
Install the actual certificate
Then we can finally install the certificate itself:
```
pi/admin# ncs key importkey mydomain.key.pem mydomain.cert.der repository remote
```
Then you can either reload or stop/start PI:
```
pi/admin# ncs stop
pi/admin# ncs start
# or
pi/admin# reload
```